Age | Commit message (Collapse) | Author | Files | Lines |
|
the PAM_SUCCESS block.
Guenther
(This used to be commit f4a704745cb0bd2c5dc2a9b16619d8ee30fd7ba1)
|
|
* Consolidate all pam_winbind password expiry warnings in the one
_pam_send_password_expiry_message() call.
* Also convert some more NTSTATUS codes to error messages.
* Add paranoia check to only do all the post-processing after PAM_SUCCESS.
Guenther
(This used to be commit 02713f314b65a14e659e801f7eebea453756ac44)
|
|
Set info3 strings, krb5ccname and returned username after we changed a
password and sucessfully re-authenticated afterwards. In that case we
ended up without this information.
Guenther
(This used to be commit 034d42ba7236e67303a8221b7a613799d1a61b83)
|
|
pam_winbind.
Guenther
(This used to be commit 1feb961577475dceb97948cd2fdb987005890498)
|
|
Guenther
(This used to be commit 86b34cd5d6675c8f0a0becdcded36de4a815c898)
|
|
Guenther
(This used to be commit 97a0b1b79499af10930500ce857c93ffbacfdb6e)
|
|
calling application.
Guenther
(This used to be commit ebfae9a671d2c960178228ba7fdcd07cb2f49a05)
|
|
(This used to be commit 1d46b2ae3447b3521987b2ab1064a6ea314cfa07)
|
|
lookup when we actually are. Although the Linux nss winbind backend
protects against num_mem != 0 && buf == NULL.
Guenther
(This used to be commit a9ac4630b46242f88bd7a4e92511b55cc82e9940)
|
|
Guenther
(This used to be commit cdef1d00b89abd632281d428f1e1a6b322559af4)
|
|
Guenther
(This used to be commit 1b82c5fa0e363942947453a8e1b74aa2b95d8733)
|
|
received NT_STATUS_PASSWORD_RESTRICTION.
Guenther
(This used to be commit 2ac9cb3bbd1980df54f1b6cc2cfb823be43f3230)
|
|
requests in pam_winbind (Bug #4094).
Inspired by fix from Lars Heete.
Guenther
(This used to be commit 88e2185d2913e835e074dc3cc4ab1c631c3296a5)
|
|
(This used to be commit 5c36d67d272a52f58532daa3c3c09b8f8b6a34e0)
|
|
Guenther
(This used to be commit 08ca5ea6f1b09506055b2508aa79704f39b3bbd7)
|
|
(This used to be commit 6b754f7c96400d5d1f14e807aac0aa925c45eefb)
|
|
online handler for internal (local SAM, BUILTIN) childs. Jeremy, please
check.
Guenther
(This used to be commit 7d0e2e70684a7e3d377f56ed0244ed136b0b1a99)
|
|
have a build failure in 3.0.24 in event_add_timed ?
Jeremy
(This used to be commit ede30a8b4b705808d9c46ae848f5cbd89a808cdc)
|
|
we may not just assume that we look for our own realm's dcs next.
Guenther
(This used to be commit bf0c4ce7b1194e18cc16a044b042d0066463cf87)
|
|
on the samba-technical ml. The replacement character is hardcoded
as a '_' for now.
(This used to be commit bd8238417b8d692ed381a870901ff1ee4cfa80f6)
|
|
void message_register(int msg_type,
void (*fn)(int msg_type, struct process_id pid,
- void *buf, size_t len))
+ void *buf, size_t len,
+ void *private_data),
+ void *private_data)
{
struct dispatch_fns *dfn;
So this adds a (so far unused) private pointer that is passed from
message_register to the message handler. A prerequisite to implement a tiny
samba4-API compatible wrapper around our messaging system. That itself is
necessary for the Samba4 notify system.
Yes, I know, I could import the whole Samba4 messaging system, but I want to
do it step by step and I think getting notify in is more important in this
step.
Volker
(This used to be commit c8ae60ed65dcce9660ee39c75488f2838cf9a28b)
|
|
lived in trustdom_recv().
Jeremy, this is the better place I think but please check.
Guenther
(This used to be commit beed8b8b320ae9bd8aef669564a5403e4bb35bfd)
|
|
outside the idmap daemon
(This used to be commit 57160e3dd96a7a776389da604393c20a738202ea)
|
|
write to a separate logfile.
Guenther
(This used to be commit 0313edc0d66c26b5acb6250e0f146218a02b42cd)
|
|
* make debug_state also configurable from the config file
* minor code cleanup
Guenther
(This used to be commit c562095953df55c91e3dad8f5c29c0b66664b62b)
|
|
Guenther
(This used to be commit adb40884e04069e7de7580b6531675ebaed5c117)
|
|
Jeremy, we really can't do that. There are setups with hundred and more
trusted domains out there, I have one customer who tells me it takes
more then half an hour for him after winbind is up and running. That
request registers the check_domain_online_handler which in turn forks
off the child immediately. Also discussed with Volker.
Guenther
(This used to be commit ccd4812c0b436a12b809668d09c5681111125f3d)
|
|
Jerry, the switch statement must ignore the PAM_SILENT flag.
Guenther
(This used to be commit 46d23c72bf4f3bd04021a9caf8d6b1380352b811)
|
|
(This used to be commit f82a5175304a12b18abb2bc3d9fd9f7023998357)
|
|
(This used to be commit af5a2fa9eccf753106cd944be31f38845363ace6)
|
|
* Remove anpther check for PAM_SILENT that prevents logging to syslog
* Add missing check for TRY_FIRST_PASS when using authtok (missed
from previous merge)
(This used to be commit ed794f0872b749955f56112507fd3ae7a6c6e6f5)
|
|
Details: Improve PAM logging
- The improved logging is far tracking down PAM-related bugs
- PAM_SILENT was being mis-used to suppress syslog output instead of
suppressing user output. This lets PAM_SILENT still log to syslog.
- Allow logging of item & data state via debug_state config file option.
- Logging tracks the pam handle used.
(This used to be commit cc1a13a9f06e5c15c8df19d0fbb31dbdeb81a9cc)
|
|
Details: Reset the "new password prompt required" state whenever
we do a new auth. In more detail, in pam_sm_authenticate, if not
settting PAM_WINBIND_NEW_AUTHTOK_REQD, then clean any potentially
present PAM_WINBIND_NEW_AUTHTOK_REQD.
(This used to be commit 402e8594759b42c1986f4f8d69273f68ec5160af)
|
|
Patch details:
Support most options in pam_winbind.conf; support comma-separated names in
require-membership-of. Details below:
1) Provides support for almost all config options in pam_winbind.conf
(all except for use_first_pass, use_authtok, and unknown_ok).
- That allows us to work well when invoked via call_modules from
pam_unix2.conf as well as allowing use of spaces in names used
w/require_membership_of.
2) Support for comma-separated list of names or SID strings in
require_membership_of/require-membership-of.
- Increased require_membership_of field in winbind request from fstring
(256) to pstring (1024).
- In PAM side, parse out multiple names or SID strings and convert
all of them to SID strings.
- In Winbind side, support membership check against multiple SID strings.
(This used to be commit 4aca9864896b3e0890ffc9a6980d7ef1311138f7)
|
|
problems in the nss_info interface when HAVE_LDAP is undefined.
* Revert previous ifdef HAVE_ADS brakets
* Remove an unused init function wrapper.
(This used to be commit 2ba353848b6d8d36520e7fd82576653a39c602cd)
|
|
(This used to be commit 8052a18f29d32f37c52868b17143af8d76bf5e6e)
|
|
(This used to be commit 8c23158f053b181421cb6206db7c8030ddcc2cea)
|
|
(This used to be commit 7011a1b5abc7d56da5beba904e3328014f315f0d)
|
|
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code. The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.
The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
(This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
|
|
domain SID lookups through the struct winbindd_domain *domain_list
by searching by name.
Refactor the order lookup when searching for the correct idmap_domain
to a single function and remove the requirement that the default
domain be listed first in the config file.
I would still like to make the idmap_domain array a linked list and
remove the existing code which makes use of indexes into the list.
Basic testing with tdb pans out ok.
(This used to be commit e6c300829ff08dd354f6e9460d396261681e4809)
|
|
Jeremy.
(This used to be commit 018d7805b5ecb17e21e1a55b6cc65efaab4b3f63)
|
|
Jeremy.
(This used to be commit a2222a565c658fe5154d9321edab69a95ddeed15)
|
|
(This used to be commit e635bad00ecf083c34da339e3616c945a140e478)
|
|
chnage fails due to policy settings where as 2003 (the chgpasswd3()
request) fails with NT_STATUS_PASSWORD_RESTRICTION. Thunk down
to the same return code so we correctly retreive the password policy
in both cases.
(This used to be commit 262bb80e9cf7fb6dbf93144ae0b939c84ec0ea04)
|
|
the stored client sitename with the sitename from each sucessfull CLDAP
connection.
Guenther
(This used to be commit 6a13e878b5d299cb3b3d7cb33ee0d51089d9228d)
|
|
ask for the list of DCs twice.
Guenther
(This used to be commit a9baf27e1348dd6dadd7a2fafdf9c269087b80ac)
|
|
site support in a network where many DC's are down.
I heard via Volker there is still a bug w.r.t the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
(This used to be commit 97e248f89ac6548274f03f2ae7583a255da5ddb3)
|
|
Guenther
(This used to be commit fb730e1e7bb83d7dcf8a78302268e384fb9676ee)
|
|
This add a struct event_context and infrastructure for fd events to smbd. This
is step zero to import lib/events.
Jeremy, I rely on you to watch the change in receive_message_or_smb()
closely. For the normal code path this should be the only relevant change. The
rest is either not yet used or is cosmetic.
Volker
(This used to be commit cd07f93a8aecb24c056e33b1ad3447a41959810f)
|
|
so that
in the next step we can store them in LDAP to be replicated across DCs.
Thanks to Michael Adam <ma@sernet.de>
Volker
(This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d)
|